SNMP Traps

Overview

The ML Pack for SNMP Traps listens for incoming SNMP traps from external devices, translates them, and makes them visible from the Unryo console.

Learn how Unryo receives SNMP Traps and converts them into alerts

Every trap sent to Unryo is processed in multiple stages: normalization, enrichment and, if need be, conversion into an alarm visible in the Unryo console.

  • Stage 1: Trap Reception: The Unryo collector listens for incoming traps on port UDP/162 (default). If the trap is defined in a MIB file, the collector will translate trap variables.

  • Stage 2: Trap Normalization: In addition to trap variable translation (using the MIB file), the Unryo collector normalizes traps by setting new tags from the existing ones. This enrichment adds all the necessary context to align data and ensures correlation.

  • Stage 3: Alerts Creation: The Analytic Engine generates an alarm for every trap that has Notify=TRUE. Alarms are visible in the Unryo Alarm Console. Admins can configure notifications if need be (email, logs, ...).

Enabling Trap Reception

Go to Configuration Management.

Click on the + button to add a new configuration.

Select the template Snmp Trap Receiver. Select the Collector on which you want this configuration to be deployed, and provide a Configuration Name that is meaningful to you. The Description is optional.

In the template, uncomment the following line to listen on UDP port 162.

service_address = "udp://:162"

You don't need to modify the other options, but other configuration options are available. Browse the template to discover them.

Once done, click Apply to start listening for incoming traps.

Testing traps

You can test if Unryo is configured correctly by generating some test traps:

Link Down trap: snmptrap -v2c -c public your_unryo_collector_ip '' IF-MIB::linkDown ifIndex i 2
Link Up: snmptrap -v 2c -c public your_unryo_collector_ip '' IF-MIB::linkUp ifIndex i 2
Authentication failure: snmptrap -v2c -c public your_unryo_collector_ip '' 1.3.6.1.6.3.1.1.5.5
ColdStart: snmptrap -v2c -c public your_unryo_collector_ip '' 1.3.6.1.6.3.1.1.5.1
WarmStart: snmptrap -v2c -c public your_unryo_collector_ip '' 1.3.6.1.6.3.1.1.5.2
Cisco Specific trap: snmptrap -v2c -c public your_unryo_collector_ip '' 1.3.6.1.4.1.9.9.43.3.2.6

You should see your traps from the Unryo Collector in the "SNMP Traps" dashboard.

Adding a MIB file

The Unryo collector comes prepackaged with a set of MIB files to translate as many traps as possible into meaningful names. To add a missing MIB file, open a session on your collector host, and copy the MIB file to the container (docker cp accepts a single source path, so copy the files one at a time):

for f in *.mib; do docker cp "$f" <container_id>:/usr/share/snmp/mibs/; done

Trap Normalization

Trap normalization creates new tags or transforms existing tags, so that the data is aligned and ready for unified reporting, trap-to-event generation and correlation.

In particular, normalization consists of:

  • assigning core tags, such as resource, resource_type, technology.

  • enriching traps with category context, used to classify them and to control whether they are converted into alerts.

  • mapping unknown traps: if the trap is unknown (for example, you don't have the MIB file), you can force a custom mapping.

Go to Configuration Management.

Go to the Tagging panel, then edit the SNMP Traps CSV configuration.

Define your trap(s) by adding a new line containing the trap OID and the tag values you want to set.

Unryo also comes with prebuilt normalization templates for standard traps and some vendor-specific traps. To browse them, go to the Metrics panel and search for templates containing the keyword Parsing.

Converting Traps into Alerts

If you want SNMP Traps converted into alerts visible from the Unryo console, and not just available for reporting, you have to activate the Snmp Traps To Alarms alert configuration.

Go to Configuration Management.

Go to the Alert Definitions panel, and search for the Snmp Traps To Alarms configuration.

You don't need to modify the content, unless you have specific requirements. Make sure the policy is set to Enable to have SNMP traps converted into alarms.
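
Stages 2 and 3 described on this page, as an added Python sketch that is not Unryo's code: a mapping keyed on trap OID sets the tags, and only traps whose notify tag is TRUE become alarms. The CSV column layout, the function names, the name customVendorTrap and the sample traps are assumptions constructed for illustration; the real SNMP Traps CSV schema is not shown on this page.

```python
import csv
import io

# Constructed mapping; this column layout is an assumption, not Unryo's schema.
MAPPING_CSV = """\
oid,name,resource_type,technology,category,notify
1.3.6.1.6.3.1.1.5.1,coldStart,device,snmp,lifecycle,FALSE
1.3.6.1.6.3.1.1.5.5,authenticationFailure,device,snmp,security,TRUE
1.3.6.1.4.1.9.9.43.3.2.6,customVendorTrap,device,cisco,vendor,TRUE
"""

# Constructed traps as (source address, trap OID) pairs from a documentation range.
SAMPLE_TRAPS = [
    ("192.0.2.10", ".1.3.6.1.6.3.1.1.5.5"),      # leading dot, as some tools print it
    ("192.0.2.10", "1.3.6.1.6.3.1.1.5.1"),
    ("192.0.2.20", "1.3.6.1.4.1.9.9.43.3.2.6"),  # no MIB needed: mapped by OID
    ("192.0.2.30", "1.3.6.1.4.1.99999.1"),       # not in the mapping at all
]


def load_mapping(text):
    """Index mapping rows by trap OID, without any leading dot."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["oid"].strip().lstrip("."): row for row in rows}


def normalize(source, oid, mapping):
    """Stage 2: derive tags for one trap from its OID."""
    oid = oid.strip().lstrip(".")
    tags = {"resource": source, "oid": oid, "name": "unknown",
            "category": "unmapped", "notify": False}
    row = mapping.get(oid)
    if row:  # unmapped traps keep the defaults: reported, never alarmed
        tags.update(name=row["name"], resource_type=row["resource_type"],
                    technology=row["technology"], category=row["category"],
                    notify=row["notify"].strip().upper() == "TRUE")
    return tags


def to_alarms(traps, mapping):
    """Stage 3: keep only normalized traps whose notify tag is true."""
    normalized = [normalize(src, oid, mapping) for src, oid in traps]
    return [t for t in normalized if t["notify"]]


if __name__ == "__main__":
    for alarm in to_alarms(SAMPLE_TRAPS, load_mapping(MAPPING_CSV)):
        print(alarm["resource"], alarm["name"], alarm["category"])
```

Traps that land in the "unmapped" category are the ones to review when deciding which OIDs still need a mapping line.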